About outgoing feeds

Configure outgoing feeds to publish cyber threat intelligence through the platform, to drive external tools and devices, and to share intelligence with selected recipients within the organization as well as with external third parties.

Outgoing feeds are a powerful tool to disseminate intelligence and to promote constructive collaboration, as well as to programmatically act on intelligence by automating tasks in your security toolchain.

For example, an external device can receive platform data through an outgoing feed, and it can react to it by initiating predefined actions such as closing open ports or blacklisting malicious IP addresses and domain names.

Once it is set up and running, an outgoing feed provides a data stream that the intended recipients can consume.

EclecticIQ Platform uses outgoing feeds to publish and share cyber threat intelligence in multiple formats through a number of configurable transport channels.

  • You can share intelligence with co-workers and teams within the organization, as well as with external recipients such as clients and consumers.

  • You can use outgoing feeds to route platform data to external devices to initiate follow-up actions based on the data type being transmitted, and on the receiving system or device.

A minimal outgoing feed configuration includes:

  • A data source: the data source of an outgoing feed is always a dataset.

    You can configure as many datasets as necessary to act as sources for an outgoing feed.

    The datasets can in turn draw their content from existing incoming feeds and enrichers, as well as from existing platform user groups.

  • A transport type: the vehicle carrying the data.

    Typically, this is a communications protocol such as TAXII, HTTP, FTP, IMAP, or Syslog.

  • A content type: the outgoing data format the platform is publishing through the outgoing feed.

    For example, STIX, JSON, CSV, or plain text.

  • An update strategy: the condition(s) defining how content is selected for inclusion in the outgoing feed.

    For example, you can choose to include in an outgoing feed task run either only new content, or both new and existing content.

About update strategies

Update strategies help define how content is aggregated and packaged for publication when an outgoing feed task runs:

  • Append: the published packages contain only new entities and observables ingested in the platform after the previous execution of the outgoing feed.

    Every time the outgoing feed task runs, it generates the content for publication by retrieving only new, unpublished entities and observables.

  • Replace: the published packages contain new entities and observables, as well as existing ones that were also included in the previous execution of the outgoing feed.

    Every time the outgoing feed task runs, it generates the content for publication by retrieving:

    • Existing entities and observables that were published in the previous execution of the outgoing feed.

    • New entities and observables ingested after the previous execution of the outgoing feed.

  • Diff: this option is available only for the EclecticIQ Entities CSV and EclecticIQ Observables CSV content types.

    Every time the outgoing feed task runs, the current content of the dataset is compared against the content published in the previous execution to identify any differences between the two sets:

    • At entity level: any entities added to or removed from the set, if EclecticIQ Entities CSV is the designated content type for the feed.

    • At observable level: any observable added to or removed from the entities in the set, if EclecticIQ Observables CSV is the designated content type for the feed.

Depending on the selected CSV content option, each row in the CSV output contains information about one entity being added or removed, or one observable being added or removed.

An extra diff column is added to the output CSV to indicate if a row, and therefore either an entity or an observable, has been added to or removed from the set.

This option enables identifying changes in a feed between two executions without downloading the whole feed every time.

Update strategies rely on the last_updated_at database field to identify entities whose timestamp value was updated since the previous execution of the outgoing feed.

Entities with a more recent timestamp value compared to the previous execution of the outgoing feed are packaged and included in the published content of the outgoing feed.

  • Changes to the data section of an entity create a new version of the entity.

    They also add a new log entry to the entity history to record the changes.

  • Changes to the meta section of an entity do not create a new version of the entity.

    However, they do update the timestamp value of the last_updated_at database field.

    Because the update strategies select on last_updated_at, a meta-only change is enough for an entity to be included again in the next Append or Replace run, even though no new version of the entity was created. The Diff option, which compares set membership, does not report such an entity unless it was added to or removed from the set.
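The following simulation, added here as an illustration and not taken from EclecticIQ Platform or its documentation, shows how the three update strategies select content relative to the previous task run, and how a meta-only edit behaves under each of them. The Entity record, the timestamps, the entity identifiers and the CSV column names are constructed for the example; the platform's own schema and CSV layout are different. Only the entity-level Diff is shown; the observable-level Diff works the same way over the observables attached to the entities in the set.

```python
"""Simulation of outgoing-feed update strategies: Append, Replace, Diff.

Added example, not platform code. All records and timestamps are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Entity:
    id: str
    data: dict                 # edits here create a new entity version
    meta: dict                 # edits here only move last_updated_at
    last_updated_at: datetime
    version: int = 1

    def update_data(self, now: datetime, **changes) -> None:
        self.data.update(changes)
        self.version += 1          # new version, new history entry
        self.last_updated_at = now

    def update_meta(self, now: datetime, **changes) -> None:
        self.meta.update(changes)
        self.last_updated_at = now  # timestamp moves, version does not


def ts(value: str) -> datetime:
    """Constructed helper: parse an ISO-8601 string as a UTC timestamp."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def append_strategy(dataset: list, last_run: datetime) -> list:
    """Append: only entities whose last_updated_at is newer than the previous run."""
    return sorted(e.id for e in dataset if e.last_updated_at > last_run)


def replace_strategy(dataset: list, last_run: datetime, previously_published: set) -> list:
    """Replace: everything published last time plus entities updated since then."""
    new = {e.id for e in dataset if e.last_updated_at > last_run}
    return sorted(previously_published | new)


def diff_rows(previous_ids: set, current_ids: set) -> list:
    """Diff: one row per entity added to or removed from the set, plus a diff column."""
    rows = [{"entity_id": eid, "diff": "added"} for eid in sorted(current_ids - previous_ids)]
    rows += [{"entity_id": eid, "diff": "removed"} for eid in sorted(previous_ids - current_ids)]
    return rows


def to_csv(rows: list) -> str:
    """Render diff rows as CSV text (column names are this example's, not the platform's)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["entity_id", "diff"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def scenario() -> dict:
    """Two task runs over a constructed dataset; returns what each strategy would publish."""
    dataset = [
        Entity("ind-1", {"value": "198.51.100.7"}, {"tags": []}, ts("2023-12-31T10:00:00")),
        Entity("ind-2", {"value": "evil.example"}, {"tags": []}, ts("2023-12-31T11:00:00")),
    ]
    run1 = ts("2024-01-01T00:00:00")
    # First run: nothing was published before, so every entity counts as new.
    first_run = append_strategy(dataset, ts("2000-01-01T00:00:00"))

    # Between run 1 and run 2: a meta-only edit on ind-1 and one newly ingested entity.
    dataset[0].update_meta(ts("2024-01-02T09:00:00"), tags=["reviewed"])
    dataset.append(Entity("ind-3", {"value": "203.0.113.9"}, {"tags": []}, ts("2024-01-02T10:00:00")))

    current_ids = {e.id for e in dataset}
    return {
        "first_run": first_run,
        "append": append_strategy(dataset, run1),                     # ind-1 re-published, still version 1
        "replace": replace_strategy(dataset, run1, set(first_run)),
        "diff": diff_rows(set(first_run), current_ids),               # ind-1 not reported: set unchanged
        "diff_csv": to_csv(diff_rows(set(first_run), current_ids)),
        "ind1_version": dataset[0].version,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

Running the scenario shows the practical difference: Append and Replace both carry ind-1 again after a tag change that produced no new version, so a consumer that acts on every published entity will act on it twice, while the Diff output for the same run contains only the genuinely added ind-3.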